TL;DR: AI pilots often look successful in demos but remain cost centers until identity, security, observability, and scoped delegation are engineered for production scale, according to Strata Identity. The limiting factor is not model quality alone, but the governance gap that leaves agents over-permissioned, untraceable, and impossible to approve at scale.
NHIMG editorial — based on content published by Strata Identity: The Most Expensive Mistake in Enterprise AI
By the numbers:
- A pilot that resolves 10 support tickets delivers roughly $750 in value against a $500,000 build cost.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams move AI pilots into production without over-permissioning agents?
A: Security teams should require task-scoped delegation, proof-of-possession binding, and a complete identity inventory before production release.
Q: Why do AI pilots often fail security review even when the demo works?
A: They usually fail because the identity model is too loose for production.
Q: What signals show that an AI workflow is ready for production governance?
A: Readiness is visible when every transaction can be replayed, every token is bound to its requester, and access scope shrinks with each delegation step.
Practitioner guidance
- Inventory every agent identity before scaling Create a complete inventory of pilot and production agent identities, including shared credentials, delegated tokens, and sub-agent relationships.
- Replace broad pilot access with task-scoped delegation Use token exchange patterns to ensure each agent receives only the access needed for the current workflow step.
- Build replayable audit evidence into the workflow Capture who initiated each action, what policy allowed it, what resource was touched, and how the transaction executed.
What's in the full article
Strata Identity's full article covers the operational detail this post intentionally leaves for the source:
- A 30-day production-readiness sequence showing how identity orchestration, token exchange, and audit capture are implemented in practice.
- The specific control mechanics behind DPoP binding and scope reduction for production agent access.
- The sandbox validation approach used to test scale, approval paths, and evidence capture before release.
- The business-case framing that links governance controls to production ROI and board approval.
👉 Read Strata Identity's analysis of why AI pilots fail without identity and security →
AI pilot to production: why identity and security keep blocking scale?
Explore further
Identity controls built for human-paced approval do not survive AI pilot-to-production transitions. The production problem is not whether the model can perform the task. It is whether the governing identity model can still distinguish actors, scope, and accountability once the same workflow runs at machine speed and at scale. That is why identity orchestration, not model tuning, becomes the gating function for production readiness.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why pilot-era identity sprawl so often becomes production-era risk.
A question worth separating out:
Q: Who should approve AI agent access before customer-facing deployment?
A: IAM, PAM, security, and compliance owners should approve the access model together. They need to verify identity attribution, least-privilege scope, auditability, and rollback procedures before release. Without that shared approval, production risk shifts from the technology stack to the governance process.
👉 Read our full editorial: AI pilot production fails when identity and security are missing